In our jobs as security professionals we are asked to do two things which are often looked at as one and the same – “secure the organization” and “reduce risk”. I think a lot of security folks think of what they do as “making the organization more secure” but I’d like to take a second look at that and argue that if you are doing only this, you might not actually be reducing risk.
There are a million ways to create a malicious USB key – here is one more which may or may not already be out there. In recent tests, this worked pretty well on PCs running XP – Vista & Windows 7 appear more dicey.
In conducting some recent tests I needed something that was a bit more likely to get the data I need and less likely to get picked up by virus scanners. This article describes a combination of techniques to achieve a USB key that operates silently & remotely so that key recovery is not required to know who inserted the key or to gather data from their system. The attack focused on Windows as the easiest platform to attack and leverages the capabilities of the SanDisk U3 USB key and a meterpreter binary.
I’m using this for awareness training but you can use your imagination to come up with other options you can try out with permission.
For the last year I’ve had a full-time gig to build the InfoSec program at a small company. This is a company that had no prior security program and needed to have one built. Looking back on the last year there were a few things I did right, but plenty of things that didn’t go as expected. At the risk of putting my annual review out here for public scrutiny, let’s talk about what I’ve learned and make some fun of us security professionals… at my expense.